Ireland fines TikTok €530 million following inquiry into transfers of users' personal data

The Irish Data Protection Commission (DPC) has fined TikTok €530 million and ordered corrective measures following an inquiry into the transfers of EEA user data to China. 

The inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for the social media platform, to analyse the legality of TikTok's transfers of personal data of users in the EEA to China. Additionally, it examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by GDPR.

The inquiry found that TikTok had infringed GDPR regarding its transfers of EEA user data to China and its transparency requirements. Following its findings, a fine was administered totalling €530 million along with an order which requires TikTok to bring its processing into compliance within 6 months. 

The inquiry's decision also includes an order suspending the social media platform's transfers to China if processing is not brought into compliance within that timeframe. 

READ NEXT: Uisce Éireann issues hosepipe ban for three counties amid 'sharp drop in water levels'

Commenting on the decision, DPC Deputy Commissioner Graham Doyle said: "The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries.

"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.

"As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards."

Throughout the inquiry, TikTok informed the DPC that it did not store EEA user data on servers in China. However, in April of this year they told the DPC that they had discovered in February limited EEA user data had in fact been stored on servers in China, contrary to their previous evidence. TikTok informed the DPC that this discovery meant that they had provided inaccurate information to the inquiry.

Deputy Commissioner Doyle added: "The DPC is taking these recent developments regarding the storage of EEA user data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities."

The DPC plans on publishing the full decision and further related information in due course.